<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p><span style="font-size: 11pt;">Sent these to the old list address.</span></p>
<div style="color: rgb(0, 0, 0);">
<div id="divRplyFwdMsg" dir="ltr">
<div> </div>
</div>
<div>
<div id="divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Helvetica,sans-serif">
<p><span style="font-size:11pt">Hello.</span></p>
<p><br>
</p>
<p><span style="font-size:11pt">Below signature is derived from the </span><span style="font-size:11pt">references available within the signature. May be split the signature into two, one for CloudBridge and the other for the SDN version? No pcap is available,
 sorry.</span></p>
<p><br>
</p>
<p><span style="font-size:10pt; font-family:Consolas,Courier,monospace">alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Citrix NetScaler CloudBridge/SD-WN session cookie privilege escalation attempt"; flow:to_server; content:"POST";
 http_method; content:"/global_data/"; fast_pattern:only; http_uri; pcre:"/Cookie\x3a\x20(CGISESSID|CAKEPHP)\x3d[a-f0-9]{32}\x60/H"; reference:cve,2017-6316; reference:url,support.citrix.com/article/CTX225990; reference:url,vuldb.com/?id.104319; reference:url,www.exploit-db.com/exploits/42345/;
 metadata:ruleset community, service http; classtype:attempted-admin; sid:110001; rev:1;)</span></p>
<p><span><br>
</span></p>
<p><span style="font-size:11pt">Thanks.</span></p>
<p><span style="font-size:11pt">YM</span></p>
</div>
</div>
</div>
</div>
</body>
</html>